Bug#4673: ppp insecure
On Fri, 25 Oct 1996, Bernd Eckenfels wrote:
> Ian Jackson in Debian-Bug#4673
> > Furthermore, I have doubts as to whether pppd was designed to be
> > installed setuid. Are there any facilities for limiting which options
> > can be set by unprivileged users, and if not why are they not
> > documented ?
pppd needs to setuid root or run by root to work, since it needs to
update different things, like the routing table etc.
> > It seems likely to me that pppd wasn't designed for setuid use and
> > that installing it setuid will allow any user to get root by for
> > example having pppd write logs to unusual places or whatever.
No, just the pppd started by any user will have a root ownership. But
there are not too many scripts which are automatically run by pppd, all
of those must be in specific places (e.g. /etc/ppp/ip-up), so just making
sure that those files are not writable (or even readable) by users should
make it safe.
---
M Shariful Anam <shuman@kaifnet.com>
Kaifnet Services -- Bangladesh
--
TO UNSUBSCRIBE FROM THIS MAILING LIST: e-mail the word "unsubscribe" to
debian-devel-REQUEST@lists.debian.org . Trouble? e-mail to Bruce@Pixar.com
Reply to: